by Dr. Phillip Hallam-Baker
We’ve been hearing about the IoT since the term was first coined back in 1999, and now, over a decade and a half later, with ‘smart’ phones, refrigerators, TVs and connected cars in our pockets, homes and driveways, and as public utilities and critical infrastructure have become increasingly connected, we’ve finally arrived, somewhat awkwardly, at the dawn of the IoT era.
The conventional wisdom holds that by connecting everything, we’ll see a huge increase in productivity. On the consumer side, we can continue working at the office while remotely monitoring the house, easily letting Sparky in and out of the kitchen by opening the dog door from the dentist’s office, or checking the car’s tire pressure before we leave work, or warming up the oven for dinner on the drive home. On the industry side, we have the potential to aggregate and analyze massive amounts of data, ideally to help government agencies, businesses and industry communicate better and do their work more efficiently.
While this all sounds great in theory, we’re seeing a fair amount of risk associated with connecting formerly ‘dumb’ machines, appliances and critical systems to the Internet, with all of the web’s risks and breaches and attempts by malicious actors to steal sensitive information. From an enterprise perspective, the overarching concern is that with everything now online, critical infrastructure (transportation, power grid, water supply) becomes increasingly easy to hack and/or compromise.
Security is typically the last line of defense to be baked into any technological innovation, and this has proven to be the case with the Internet of Things, too. In addition to inadequate monitoring of things like public utilities, the problem certainly exists at the consumer level as well. While manufacturers enthusiastically built in IoT connectivity to our DVRs, washing machines and thermostats, they haven’t been so eager to invest the time and money needed to insure the safety and security of those devices, often relying on outdated (read: cheaper) chips and technology to ‘smarten up’ their newly connected devices.
On the manufacturing side of the equation, if you’re making refrigerators and ovens, your primary concern has historically been building functioning machines as efficiently as you can, not protecting those appliances from being hacked. You’re an appliance manufacturer, not a cybersecurity provider, and how exactly do you suddenly go about building in robust defenses to your devices? If cost is an issue, as it almost always is, or if you’re building essentially a throw-away item using more primitive chip technology, or if battery power is at a premium, where’s your incentive to build in full-fledged Internet security? Furthermore, with any number of different manufacturers getting into the smart machine and appliance space, how much cooperation can we expect regarding adoption of common platforms, languages and protocols?
Similarly, from a systems perspective, if you’re a utility supplying water or electricity to a region, physical security has been baked into your organization’s DNA, but cybersecurity hasn’t traditionally been on your radar, in your wheelhouse, or in your budget forecasts.
The good news is that the technology exists within the cybersecurity community. The bad news is that it hasn’t entirely taken root where it’s needed. Firms actually manufacturing ‘smart’ devices haven’t been making the needed investments and upgrades to secure their product lines. And malicious actors haven’t been shy in exploiting these loopholes and weak defenses to hack into personal fitness devices, police department surveillance camera feeds and connected toys, cars and gaming systems. Security experts are concerned that not enough is being done to prevent the grid from being brought down, or a city’s traffic lights being hacked, or its water supply suddenly being shut off.
While experts are concerned about the security of the IoT, there still isn’t a strong consensus on how best to solve the problem. We know what needs to be done – companies need to work on a reference architecture to secure both critical infrastructure and the devices that’ll be on our wrists, in our living rooms and on our roadways – but until there’s consensus from government or the manufacturing community or new regulations to adhere to, the IoT era is starting off looking and feeling more than a little bit like the Wild West.
Dr. Phillip Hallam-Baker is the vice principal and principal scientist at Comodo.
